Part III: Has Congress Spoken and Does It Really Matter? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

by Davis Wright Tremaine LLP

In the first and second parts of this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp. and then focused on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable. Today, we take a slightly different view of the FTC’s Section 5 history and revisit whether Brown v. Williamson actually supports the position that Congress has granted the Commission the authority to regulate data security under Section 5. But in the end, such analysis may not matter—the FTC is not the sole source of data security responsibilities for “unregulated” industries and one way or another, data security accountability is coming….
Has Congress really given the FTC Authority?
As we all know by now, the court rejected Wyndham’s arguments that the FTC’s Section 5 authority does not permit the Commission to create data-security standards for the private sector and enforce them under the “unfairness” prong of Section 5. However, Judge Salas’ opinion lacks both an appreciation of the history of the FTC’s unfairness authority and any real analysis of whether this was a question of (1) an agency’s choice between rulemaking and adjudication, or (2) Congress’s deliberate withholding of authority from the Commission, subject to some very narrow exceptions.
In the 1970s, the FTC aggressively enforced its Section 5 authority, almost without limit; but these efforts were subject to significant criticism from many quarters:
The scholarly criticism tended to focus on the Commission’s failure to apply its unfairness criteria consistently and systematically rather than on inherent faults in the criteria. In connection with the Commission’s adjudicatory activities, it was criticized for following a “shifting course” that seemed “characterized by its efforts to test the outer limits of its [unfairness] jurisdiction in an essentially ad hoc manner,” and “utilizing multiple theories, sometimes in a single proceeding.”
See David L. Belt, “Should the FTC’s Current Criteria for Determining ‘Unfair Acts or Practices’ Be Applied to State ‘Little FTC Acts’?” (citing David A. Rice, Consumer Unfairness at the FTC: Misadventures in Law and Economics, 52 GEO. WASH. L. REV. 1, 26 (1984)). There are aspects to the FTC’s current activities that (somewhat unsettlingly) echo its prior attempts to test the limits of its powers.
Ultimately, concerns over inconsistency led to an FTC policy statement that served as a self-imposed constraint on the agency’s powers. This policy statement was later codified in amendments to the FTC Act in 1994, resulting in Section 5(n), which limits the FTC’s authority to find practices “unfair” to those that cause or are likely to cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” Arguably, this was a significant narrowing of the FTC’s powers, first as a result of the agency’s own voluntary statements, and then by Congress expressly legislating that the agency has “no authority” to regulate outside the stated parameters.
This history provides an interesting backdrop for Judge Salas’ unfairness decision. Wyndham pointed to a number of public statements made by the FTC between 1998 and 2001—one of which was by the FTC Chairman before a Congressional committee, and one of which was in published guidance—in which the FTC stated that it did not have the power to generally enforce data security lapses under the unfairness prong. See Consumer Privacy on the World Wide Web, Hearing before H. Comm. on Commerce, Subcomm. on Telecomm., 105th Cong., at n.23 (July 21, 1998) (Chairman Robert Pitofsky stating that its authority was “limited in this context to ensuring that Web sites follow their stated information practices”); FTC, Privacy Online: Fair Information Practices in the Electronic Marketplace, at 33-34 (2000) (“As a general matter, however, the Commission lacks authority to require firms to adopt information practice policies or to abide by the fair information practice principles on their Web sites”). For those who have followed the agency in the ensuing years, it was abundantly clear that the FTC did in fact take this stated position.
Yet Judge Salas “was not convinced” that these statements added up to the type of unequivocal disavowals of authority that the FDA had given with respect to cigarette regulation, as addressed in Brown v. Williamson. One wonders what she would have made of the policy statement by the FTC in the 1980s self-imposing the limitations later codified in Section 5(n); perhaps it was the lack of “ratification” by Congress of the data security disavowals that troubled her, although the decision does not say so. Judge Salas did cite the fact that the FTC seemed to have reversed its position in subsequent years, suggesting that an agency should not be locked into its initial statutory interpretation, and pointing to a statement to that effect by the Supreme Court in Brown v. Williamson.
The Supreme Court, though, made this statement in a somewhat different context. The Court stated that the significance of the FDA’s consistent disavowal of authority over tobacco, for many years, was that it provided a framework against which Congress’ multiple tobacco-specific legislative enactments could be interpreted. While the FDA had shifted its position after many years and had begun asking Congress for authority to regulate tobacco, Congress instead passed multiple laws directly addressing the problem of tobacco use and human health. The Supreme Court believed that this refusal to grant the FDA the requested authority, while at the same time passing laws creating its own legislative scheme, meant that Congress “understood that the FDA is without jurisdiction to regulate tobacco products and ratified that position.”
Here, too, the FTC had asked Congress to grant it the broad authority over data security which the agency did not believe it possessed under Section 5. The key difference is that when Congress then passed laws touching on data security with this backdrop of disavowals in place, in several instances Congress granted the FTC the authority to act within certain narrow areas. While Judge Salas interpreted Brown v. Williamson as requiring the agency’s assertion of authority to directly contradict Congress’ intent as expressed in recent statutes, there is no principled reason why granting an agency some aspects of the authority it seeks in specific areas, as opposed to refusing to grant the agency any new authority, reflects a different view on Congress’s part of the agency’s existing scope of authority. Both can be consistent with an agency not having power to operate in the area. Indeed, Wyndham made a compelling argument that the new grants of power in the statutes addressing data security would be superfluous if the FTC already held the necessary authority. Judge Salas waved this away by noting that the statutes were not entirely superfluous because, in certain cases, they provided for different standards of injury, leaving unanswered the point that in other respects the statutes would still be superfluous if the FTC already had the requisite powers.
Given these infirmities in the district court’s decision, there is certainly room for another district court (or any Circuit Court) to find differently as to the scope of the FTC’s unfairness authority. While agencies may be free to alter their interpretation of statutes over time, another court, at first instance or on further review, may conclude that where an agency disavows a particular type of authority, petitions Congress to acquire it, and then, having been rebuffed by Congress, simply ignores its lack of authority and begins bringing enforcement actions, this is nothing more than a naked power grab by the agency. But the FTC is not the sole source of data security responsibilities for “unregulated” industries, and one way or another, data security accountability is coming.
Like it or not, “non-regulated” businesses are likely already subject to certain data security standards. Multiple statutes and regulations embody requirements to reasonably protect certain information. At the federal level, there is the E-SIGN Act, the Fair Credit Reporting Act, the Fair and Accurate Credit Transactions Act, and the Children’s Online Privacy Protection Act, just to name a few. At the State level, we have breach notification laws in 47 states and actual encryption requirements for certain data elements in a growing number (see the recently introduced payment-related security legislation in California). In the global context, the EU Data Protection Directive requires the implementation of appropriate security measures for the protection of personal information. In addition, there are often contractual obligations, such as the Payment Card Industry Data Security Standard, and “self-regulatory” standards, such as those found in the DAA’s self-regulatory principles. And now, as cyber and breach insurance policies are becoming more in demand, insurance companies are requiring representations about their insureds’ data security practices. But most often, there are just the plain old promises that companies make in their privacy policies.
What should businesses do in light of this new reality?
We’ve already covered the fact that this is an order by a single federal district court judge on a motion to dismiss—it is nothing more than preliminary. Further, the FTC has said that it is not trying to apply anything beyond “reasonable,” as tailored to the hospitality industry and the risk of harm. But what is “reasonable”? Can a pamphlet on the FTC’s website create the standard of “reasonableness”? Or are companies obligated to follow every FTC enforcement action and consent decree, compile a database of the outcomes and then constantly tweak their business practices based on the latest outcome? We will have to wait for some time to get a final disposition in this case, but in the meantime, here are some practical tips:
Assess Risk
In this environment of uncertainty, it is worth asking yourself and others in your company just how well you secure data. All departments need to partner with the other groups in the organization that collect, access, store or use consumer data (that is, customer, prospective customer, visitor and employee information). What is “reasonable” will depend on the company’s size, business and technological capabilities as well as the nature and amount of information it collects. Periodic risk assessments are already required by some security programs, such as the PCI Data Security Standards. There are several risk models that can be employed, but you should start by identifying the threats to your business and your data. You can start by asking:
  • Who is responsible for your organization’s security program?
  • Have you identified your data assets and determined the need for protection as a result of legal requirements and business need?
  • Do you run background checks on personnel who handle protected data?
  • Do you have the paper trail of NDAs, records of access, retention policies and internal audits?
  • Do you go beyond paper policies and train personnel who handle protected data? Do you periodically refresh and reinforce that training (e.g. implementing “pop-quizzes” or internal “spear-phishing” attempts)?
  • Do you physically secure your computers and servers against unauthorized physical access?
  • Do you have a system for alarms or shutdowns in the event of apparent unauthorized access?
  • Do you restrict access to protected information to need-to-know personnel?
  • Do you have a method to audit all those in your organization who access, store, or retrieve personal data?
  • Do you secure networked workstations and other devices with firewalls, password policies, and centralized patch management?
  • Do you secure your network perimeter, limit remote access and maintain intrusion detection and response systems? Do you review the logs, monitor alarms, and respond accordingly?
  • Do you protect data at rest and in transit?
  • Do you have policies, procedures, and teams in place to respond immediately to breach?
  • Do you have contracts in place that commit service providers, vendors and other counterparties to security, limited data uses, audit and breach response, and indemnity?
Mind the Gaps
Once you have made your assessment, be prepared to remediate policies and processes that may expose your company to security threats. Common remediation activities include:
  • Assign responsibility for the security function. Cross-functional “committees” are great for consensus and buy-in, but know the one person or office that is going to be ultimately responsible (and accountable) for implementation and maintenance of your security program.
  • Data loss prevention (DLP) tools can help block employees and others from exfiltrating confidential data.
  • Employee training can help stop unintentional disclosures.
  • Encrypt sensitive data.
  • Implement administrative, physical and technical safeguards no less rigorous than those required by industry standards, such as:
    • ISO/IEC 27001:2005 and ISO/IEC 27002:2005;
    • the HIPAA Security Rule (if applicable);
    • PCI DSS 3.0 for payment card data; and
    • GLB requirements for federally regulated financial entities.
Audit
Data security is not a one-time, fix-it-and-move-on initiative. Threats change, and so will your security needs. Similarly, as people change within the organization, processes can be disrupted, altered or altogether forgotten. Once a security program is established, organizations should audit their policies against ongoing practice. Did the software get the patches? Was Tom’s access removed when he left the company? You must be vigilant in monitoring your program—the hackers certainly will be. And even though you will be the victim, in regulators’ and plaintiffs’ eyes, you may also be blamed.
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising